The UK has become a nation of homeworkers. The benefits are clear, from wearing slippers all day to ditching the commute to closing ludicrously expensive headquarters. But how do we ensure that our businesses remain secure when staff work remotely, out of sight, using an IT estate that’s largely out of our control? We’ve identified six key areas that businesses must consider if they’re to stay secure, compliant and prosperous.
Know your devices
During lockdown, businesses across the UK scrambled to get their people online as quickly as possible. In the push to provide unbroken service to customers, and to save both time and money, many took a gamble and allowed employees to use their own devices. While this filled a gap at a critical moment, it’s vital to remember that such companies may have little to no control over how the security settings on these devices are configured, exposing them to far-reaching security issues. Now that working from home has become the ‘new normal’, companies still reliant on employee devices really must establish a robust ‘BYOD’ (Bring Your Own Device) policy to ensure that their people follow appropriate security guidelines. The National Cyber Security Centre has some invaluable advice: https://www.ncsc.gov.uk/collection/mobile-device-guidance/bring-your-own-device
It’s also crucial that your people are familiar with the common features of phishing attacks. Ingeniously crafted to reflect the look of topical or urgent stories, these emails may even echo the vocabulary used in your field of work. With more of your staff working from home long-term, now’s the time to coach them in what to look for – domain name misspellings or subtle tweaks, tell-tale grammar or spelling mistakes, or calls to action with poorly titled attachments. There’s much more detail on The National Cyber Security Centre website: https://www.ncsc.gov.uk/collection/small-business-guide/avoiding-phishing-attacks
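The domain-name tricks described above (misspellings, swapped characters, a trusted name buried inside another domain) can be screened for automatically before a message reaches a busy inbox. The following is an added example and not code from the article or the NCSC; the trusted-domain list and the sample sender addresses are constructed for illustration, and the confusable-character table is a small hand-picked subset rather than a complete one.

```python
"""Flag sender domains that resemble, but are not, a domain the business trusts.

Added example (not from the article). TRUSTED_DOMAINS and SAMPLE_SENDERS are
constructed; a real deployment would load the trusted list from the mail
gateway's own configuration.
"""
from typing import List, Tuple

# Constructed: domains this organisation genuinely uses or corresponds with.
TRUSTED_DOMAINS = ["examplebank.com", "example.co.uk", "ncsc.gov.uk"]

# Characters commonly substituted for visually similar ones (partial table).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using the two-row dynamic-programming form."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain: str) -> str:
    """Collapse common look-alike substitutions so 'examp1e' and 'exarnple' compare as 'example'."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def classify_sender(address: str, trusted: List[str] = TRUSTED_DOMAINS,
                    max_distance: int = 2) -> Tuple[str, str]:
    """Return (verdict, reason) for one sender address.

    verdict is "trusted" (the domain or a genuine subdomain of it),
    "lookalike" (close to a trusted domain but not it) or "unknown".
    """
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in trusted:
        return "trusted", f"{domain} is an exact match"
    for good in trusted:
        if domain.endswith("." + good):
            return "trusted", f"{domain} is a subdomain of {good}"
    for good in trusted:
        label = good.split(".")[0]
        if label in domain:
            # e.g. examplebank.com.verify-login.net: trusted name embedded in another domain
            return "lookalike", f"{domain} embeds the trusted name '{label}'"
        if normalise(domain) == normalise(good):
            return "lookalike", f"{domain} matches {good} after confusable-character substitution"
        distance = edit_distance(normalise(domain), normalise(good))
        if distance <= max_distance:
            return "lookalike", f"{domain} is {distance} edit(s) away from {good}"
    return "unknown", f"{domain} does not resemble any trusted domain"


# Constructed sample addresses of the kinds a mail gateway would see.
SAMPLE_SENDERS = [
    "alice@examplebank.com",                     # genuine
    "it-support@examp1ebank.com",                # digit 1 in place of letter l
    "payroll@exarnplebank.com",                  # 'rn' in place of 'm'
    "alerts@examplebank.com.verify-login.net",   # trusted name buried in another domain
    "news@ncsc.gov.uk",                          # genuine
    "team@unrelated-vendor.io",                  # not trusted, but not a lookalike either
]


def triage(addresses: List[str]) -> List[Tuple[str, str, str]]:
    """Classify every address; lookalikes are the ones worth quarantining or banner-tagging."""
    return [(addr, *classify_sender(addr)) for addr in addresses]


if __name__ == "__main__":
    for addr, verdict, reason in triage(SAMPLE_SENDERS):
        print(f"{verdict:9} {addr:45} {reason}")
```

The "lookalike" verdict is intended to drive a warning banner or quarantine rather than a silent drop, since legitimate new suppliers will occasionally sit within two edits of an existing name; tune `max_distance` and the trusted list against your own mail flow.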
Safeguard your network
Allowing staff to use their home networks to connect to the internet comes with its own perils. Security features present in the office, such as encryption and firewalls, may well be missing or out of date at home. The result is that data in transit between your team’s disparate locations may not be entirely secure – particularly risky if you’re working with personal or confidential information. There are several solutions. One is to use a VPN – an encrypted network connection providing your people with secure remote access to your company’s files, email and core IT services. This VPN is your secure channel and lifeline, but it can be onerous to set up and maintain. Another option is to adopt a ‘zero trust’ policy in which every connection is protected by strong authentication and authorisation and by the verified health of the connecting device. Read more here: https://www.ncsc.gov.uk/collection/mobile-device-guidance/virtual-private-networks
Establish a strong password policy
Weak or reused passwords are a chink in your business armour, so don’t recycle them. Having a strong password policy is especially important when staff work remotely, and it’s important that your people also understand what a strong password really is. The days of remembering a jumbled sequence of letters, numbers and symbols are over – modern advice is to adopt three-word passphrases, which are far easier to remember and provide better protection. If you’re struggling to remember all your passphrases, a password manager may help, and will also prompt you to review and change any weak passwords in your portfolio. Learn how to create strong passwords here: https://www.ncsc.gov.uk/cyberaware/home#section_2
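A password policy of the kind described above is easy to state and easy to get wrong in code: the checks that matter are length, absence from a deny-list of common passwords, absence of organisation-specific terms, and no reuse, rather than the old letter-number-symbol composition rules. The following is an added example and not code from the article or the NCSC; the deny-list, the organisation terms and the password history are constructed, and the hashing parameters are an assumption for illustration.

```python
"""Enforce a length-and-deny-list password policy that accepts three-word passphrases.

Added example (not from the article). DENY_LIST, the organisation terms and the
password history used in the demo are constructed. Previous passwords are kept
only as salted PBKDF2 hashes so the history itself is not a plaintext target.
"""
import hashlib
import hmac
import os
from typing import Iterable, List, Sequence, Tuple

# Constructed: a handful of entries of the kind found on breached-password lists.
DENY_LIST = {"password", "password1", "qwerty", "letmein", "welcome1", "123456", "iloveyou"}
MIN_LENGTH = 12          # three random words comfortably exceed this
MIN_DISTINCT = 4         # rejects "aaaaaaaaaaaa"-style padding
PBKDF2_ITERATIONS = 100_000   # assumed value; set per your own hashing policy

History = List[Tuple[bytes, bytes]]   # (salt, digest) pairs for previous passwords


def hash_for_history(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest used only for the reuse check."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def remember(password: str, history: History) -> None:
    """Append a new salted digest so the password cannot be chosen again later."""
    salt = os.urandom(16)
    history.append((salt, hash_for_history(password, salt)))


def check_password(candidate: str, history: Sequence[Tuple[bytes, bytes]] = (),
                   org_terms: Iterable[str] = ()) -> Tuple[bool, List[str]]:
    """Return (accepted, reasons). An empty reasons list means the policy is satisfied."""
    reasons: List[str] = []
    lowered = candidate.strip().lower()

    if lowered in DENY_LIST:
        reasons.append("appears on the common-password deny-list")
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(set(lowered)) < MIN_DISTINCT:
        reasons.append("too little variety of characters")
    for term in org_terms:
        if term.lower() in lowered:
            reasons.append(f"contains the organisation-specific term '{term}'")
    for salt, digest in history:
        # Constant-time comparison so the check does not leak digest bytes via timing.
        if hmac.compare_digest(hash_for_history(candidate, salt), digest):
            reasons.append("reuses a previous password")
            break
    return (not reasons, reasons)


def demo() -> List[Tuple[str, bool]]:
    """Run the policy over constructed candidates, including one deliberately reused password."""
    history: History = []
    remember("correct horse battery", history)     # constructed previous passphrase
    org_terms = ("acme",)                           # constructed organisation name
    candidates = [
        "correct horse battery",    # rejected: reuse
        "Password1",                # rejected: deny-list and too short
        "acme-summer-login",        # rejected: contains the organisation name
        "tractor violet whisper",   # accepted: three-word passphrase
        "Winter2024!!",             # accepted: meets length with no composition rule needed
    ]
    return [(c, check_password(c, history, org_terms)[0]) for c in candidates]


if __name__ == "__main__":
    for candidate, accepted in demo():
        print(("accept " if accepted else "reject ") + candidate)
```

Note that the policy deliberately has no "must contain a symbol" rule: the passphrase `tractor violet whisper` passes on length alone, which is the behaviour the three-word advice calls for, while the history check still blocks a passphrase that has been used before.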
Be mindful of third-party reliance
We’ve all heard the Zoom meeting horror stories of video calls conducted in front of pinboards crammed with confidential information. Scary enough, but the risks run deeper than faux pas like these. While cloud-based applications like Microsoft Teams help bring us together, remember that over-reliance exposes your business to third-party weaknesses and outages. Ensure that all your people use the latest versions of all applications, and build additional security into your use of them with strong passwords and multi-factor authentication. Find valuable information here: https://www.ncsc.gov.uk/guidance/video-conferencing-services-security-guidance-organisations
Consider certification in ISO 27001
ISO 27001 is one of the fastest-growing standards in the ISO family, and crucial now that many UK businesses have adopted long-term homeworking. This standard creates a robust set of rules for maintaining your data integrity and confidentiality, embedding security into the way your business works at every single step. With this ISO standard, many of the considerations described above become an intrinsic part of day-to-day working, taking the ‘to-do’ out of cyber security and making it more ‘that’s how we roll’. It’s the must-have standard for the strange new normal in which we all find ourselves.